elytron-tool.sh and non-file based PKCS11


Nate

Nov 30, 2023, 8:02:26 AM
to WildFly
I am unable to use elytron-tool.sh to create a PKCS11 backed credential store and store a password on a FIPS enabled RHEL8 system. It is not an option to bypass the FIPS restrictions.
After enabling FIPS this is what my java.security file has:
[root@local-rhel8 opt]# grep fips.provider.1=SunPKCS11 /usr/lib/jvm/java-11-openjdk-11.0.19.0.7-4.el8.x86_64/conf/security/java.security -A4
fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg
fips.provider.3=SUN
fips.provider.4=SunEC
fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS-FIPS

[root@local-rhel8 opt]# grep fips.keystore.type /usr/lib/jvm/java-11-openjdk-11.0.19.0.7-4.el8.x86_64/conf/security/java.security
fips.keystore.type=PKCS11


Attempt at running elytron-tool.sh to create a credential store:
[root@local-rhel8 opt]# wildfly-26.1.3.Final/bin/elytron-tool.sh credential-store --create --add secret-key --secret password --password asdf --location /root/init.cs --properties "keyStoreType=PKCS11;keyAlias=my-key" --debug
Exception encountered executing the command:
org.wildfly.security.credential.store.CredentialStoreException: ELY09508: Cannot write credential to store
        at org.wildfly.secu...@1.19.1.Final//org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.store(KeyStoreCredentialStore.java:413)
        at org.wildfly.secu...@1.19.1.Final//org.wildfly.security.credential.store.CredentialStore.store(CredentialStore.java:242)
        at org.wildfly.secu...@1.19.1.Final//org.wildfly.security.credential.store.CredentialStore.store(CredentialStore.java:226)
        at org.wildfly.secu...@1.19.1.Final//org.wildfly.security.tool.CredentialStoreCommand.addAlias(CredentialStoreCommand.java:513)
        at org.wildfly.secu...@1.19.1.Final//org.wildfly.security.tool.CredentialStoreCommand.execute(CredentialStoreCommand.java:421)
        at org.wildfly.secu...@1.19.1.Final//org.wildfly.security.tool.ElytronTool.main(ElytronTool.java:85)
        at org.jboss.modules.Module.run(Module.java:353)
        at org.jboss.modules.Module.run(Module.java:321)
        at org.jboss.modules.Main.main(Main.java:604)
Caused by: java.security.KeyStoreException: Cannot convert to PKCS11 keys
        at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyStore.storeSkey(P11KeyStore.java:1636)
        at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyStore.engineSetEntry(P11KeyStore.java:1126)
        at java.base/java.security.KeyStore.setEntry(KeyStore.java:1591)
        at org.wildfly.secu...@1.19.1.Final//org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.store(KeyStoreCredentialStore.java:392)
        ... 8 more
Caused by: java.security.InvalidKeyException: Unknown algorithm 1.2.840.113549.1.7.1
        at jdk.crypto.cryptoki/sun.security.pkcs11.P11SecretKeyFactory.createKey(P11SecretKeyFactory.java:261)
        at jdk.crypto.cryptoki/sun.security.pkcs11.P11SecretKeyFactory.convertKey(P11SecretKeyFactory.java:192)
        at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyStore.storeSkey(P11KeyStore.java:1633)
        ... 11 more


Are there some more options or properties I need to add to my elytron-tool command?
Thanks,
Nate

Prarthona Paul

Nov 30, 2023, 1:00:53 PM
to WildFly
Hi there, 
The main difference between PKCS12 and PKCS11 is, as you mentioned, the non-file-based storage. 
If you look into the docs using this command: ./bin/elytron-tool.sh credential-store --create -h
then you will also notice another option for properties called External and cryptoAlg with the following descriptions: 
external - specifies whether to store data to external storage and encrypted by keyAlias key (defaults to "false")
cryptoAlg - cryptographic algorithm name to be used to encrypt/decrypt entries at external storage "external" has to be set to "true"
I would suppose that specifying those options may help.
Please let us know if you have any follow-ups.
-- Prarthona
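As an added example (not part of this thread, and not WildFly's own tooling), the script below builds the elytron-tool.sh invocation the reply points at: the credential entries go to an encrypted file at externalPath, and the PKCS11 token only has to hold the key named by keyAlias. The stack trace in the question shows the token refusing to import the store's internal secret-key wrapper ("Cannot convert to PKCS11 keys"), which is exactly the step that external=true avoids. Assumptions: WILDFLY_HOME points at the unpacked server, an AES secret key named my-key already exists on the FIPS token, AES is an acceptable cryptoAlg in that environment, and keytool's -list output format for PKCS11 entries; the token PIN is taken from an environment variable so it does not appear in the command history.

```shell
#!/bin/sh
# Added example for this thread: create an external-storage credential store
# whose entries are encrypted with a key held on a PKCS11 (FIPS) token.
# Assumed, not from the thread: WILDFLY_HOME, an AES key "my-key" on the
# token, cryptoAlg=AES, and the PKCS11_PIN environment variable.

# Compose the --properties value; returns the ";"-separated string that
# elytron-tool.sh expects, with external storage switched on.
cs_properties() {
  alias="$1"       # key on the token used to encrypt the external storage
  ext_path="$2"    # file that receives the encrypted entries
  crypto_alg="$3"  # algorithm used for that encryption (see --create -h)
  printf '%s' "keyStoreType=PKCS11;keyAlias=${alias};external=true;externalPath=${ext_path};cryptoAlg=${crypto_alg}"
}

# Check that the alias is present on the token before calling the tool, so a
# missing key is reported as such instead of as a generic ELY09508 failure.
# keytool lists PKCS11 entries as "alias, <date>, SecretKeyEntry," (assumed format).
alias_on_token() {
  keytool -list -keystore NONE -storetype PKCS11 -storepass "${PKCS11_PIN}" 2>/dev/null \
    | grep -q "^$1,"
}

# Create the store and add one secret-key entry.
# $1 = credential store password, $2 = entry alias, $3 = secret to store
create_store() {
  cs_pass="$1"; entry="$2"; secret="$3"
  location="${CS_LOCATION:-/root/init.cs}"
  ext_path="${location}.ext"

  alias_on_token my-key || { echo "key alias my-key not found on token" >&2; return 1; }

  "${WILDFLY_HOME:?set WILDFLY_HOME}/bin/elytron-tool.sh" credential-store \
    --create \
    --add "$entry" \
    --secret "$secret" \
    --password "$cs_pass" \
    --location "$location" \
    --properties "$(cs_properties my-key "$ext_path" AES)"
}

# Usage (not run when the file is sourced):
#   PKCS11_PIN=... WILDFLY_HOME=/opt/wildfly-26.1.3.Final sh this.sh run
if [ "${1:-}" = "run" ]; then
  create_store "${CS_PASSWORD:?set CS_PASSWORD}" secret-key password
fi
```

The properties string is built in its own function so the exact value handed to --properties can be inspected (or logged) separately from the run; the store password and token PIN are read from the environment rather than typed inline as in the original command, so they do not end up in shell history or the process list.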

Nate

Dec 3, 2023, 11:21:06 AM
to WildFly
I definitely played around with external and externalPath but not cryptoAlg. I will give it a try. Thanks!!! 